lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 27 Jul 2013 18:00:51 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Defense in depth -- the Microsoft way (part 5): sticky, persistent vulnerabilities

Hi,

with Windows XP (about 12 years ago) Microsoft introduced the
so-called "side-by-side" technology to overcome "DLL hell".

With "side-by-side" technology several versions of a DLL can be
installed on a system at the same time, for global use by any
application; the "side-by-side" store is located in the
subdirectory "WinSxS" of the "Windows" directory.

Applications, for example "filename.exe", that need to use/load a
"side-by-side" DLL have to provide a 'Manifest', either as resource
linked  into the application or as an external file named
"filename.manifest" to let the loader locate the "side-by-side" DLL.
Cf. <http://msdn.microsoft.com/library/aa384082.aspx>


BUT...
Microsoft NEVER purges OUTDATED and/or VULNERABLE DLLs from the
"side-by-side" store, and Microsoft does NOT provide a utility to
cleanup the mess^H"DLL hell" accumulated in the "side-by-side" store.


The result: every application can request via 'Manifest' to load a
VULNERABLE version of any DLL present in the "side-by-side" store,
effectively circumventing ANY security patches installed for these
DLLs.
Cf. <http://msdn.microsoft.com/library/aa375141.aspx>.

If you think now: but there is a publisher configuration
(cf. <http://msdn.microsoft.com/library/aa375680.aspx>)
that redirects old versions to the patched version: the publisher
configuration is overridden by a per-application configuration,
cf. <http://msdn.microsoft.com/library/ee710783.aspx> and
<http://msdn.microsoft.com/library/aa375667.aspx>


Common candidates to tinker with on Windows XP and 2003 are
(see Start->Run CMD.EXE /K dir /S /B %SystemRoot%\WinSxS\*.DLL):

- WINHTTP.DLL              (installed 3 times on a fully patched 2003)

- COMCTL32.DLL             (installed 3 times on a fully patched XP,
                            and 4 times on a fully patched 2003)

- GDIPLUS.DLL              (installed 4 times on a fully patched XP,
                            and 3 times on a fully patched 2003)

- MSVCRT.DLL & MSVCIRT.DLL

- MSVC?80.DLL

- MSVC?90.DLL

- MFC*.DLL

- ATL*.DLL

- VCOMP*.DLL

Cf. <http://msdn.microsoft.com/library/ms235624.aspx>


For Windows Vista and later: run the command given above and see yourself!


stay tuned
Stefan Kanthak


PS: if you find any of these "side-by-side" DLLs in %ProgramFiles%,
    %ProgramFiles(x86)% or other locations: ask the developers/vendors
    who installed them there to take a REALLY THOROUGH look at
    <http://support.microsoft.com/kb/835322>!

    And don't forget to file bug reports against any product that
    installed OUTDATED and/or VULNERABLE DLLs!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ